Introduction
Your privacy is important to us. This Privacy Policy explains how GentleStep collects, uses, discloses, and safeguards your information when you use our service.
Information We Collect
Personal Information
We collect only what we need to operate GentleStep: account details (name, email), OAuth identities (Google, Apple, Facebook app-scoped IDs), and subscription/purchase information.
App Activity Data
We collect the app activity data necessary to deliver taper plans and notifications and to sync your data across devices. This includes your tapering schedules, progress tracking, and notification preferences.
Automatically Collected Information
When you visit our website, we may automatically collect certain information about your device, including your web browser type, IP address, and time zone.
How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain our taper planning service
- Sync your data securely across your devices
- Send you reminders and notifications you've opted into
- Improve and personalize your experience
- Process payments and manage subscriptions
- Communicate with you for customer service and support
Data Sharing
We do not sell personal data. We share data only with essential service providers necessary to operate GentleStep:
- Authentication providers (Apple, Google, Facebook) for secure sign-in
- Payment processing (Stripe) for web subscriptions
- Email delivery (SendGrid) for account and notification emails
- Hosting and infrastructure (DigitalOcean App Platform; managed Postgres)
- Push notification delivery (Apple APNs, Google FCM)
- Optional AI providers (OpenAI) only when you opt in
If you need a copy of our processor agreements or an updated subprocessor list, contact support.
Data Security
We implement appropriate technical and organizational security measures to protect your personal information. Authentication uses secure tokens and all data is transmitted over HTTPS.
Cookies are used only for session security; we do not use advertising or tracking cookies.
Cookies
We use only essential cookies to keep you signed in and secure your session (e.g., refresh tokens). We do not use analytics, advertising, or cross-site tracking cookies.
You can block cookies in your browser, but doing so may prevent sign-in or session persistence.
International Transfers & SCCs
Some processors may handle data outside your region. When required, we use EU Standard Contractual Clauses (SCCs) or equivalent safeguards with these providers:
- Stripe (payments), SendGrid/Twilio (email), OpenAI (optional AI features)
- Apple/Google/Facebook sign-in (authentication)
- Infrastructure/hosting providers (e.g., DigitalOcean managed Postgres/App Platform)
Optional AI features are off by default; if you opt in, your inputs may be processed by OpenAI under their SCCs and DPA.
Data Retention
We keep your account data while your account remains active. You may disconnect a sign-in method at any time from the GentleStep app settings. Some providers may also allow removal within their own settings. You can withdraw health-data consent in the app; doing so will block health features until you re-grant consent.
You can export your data or delete your account from the GentleStep app settings. If you need help, email [email protected].
Backups are retained 30–90 days for disaster recovery and are not used to restore deleted accounts. If a backup must be restored, previously completed deletions will be re-applied.
Commerce/gifting: invite emails and claim codes are stored only as needed (claim codes are hashed and encrypted); Stripe subscription/payment references are kept for billing. Commerce records are retained for up to 12 months for accounting/support and then redacted (invite email, claim codes, Stripe IDs).
Your Rights
You have the right to:
- Access the personal information we hold about you
- Request correction of inaccurate information
- Request deletion of your account and data
- Disconnect third-party sign-in providers in the app settings
- Withdraw and re-grant health-data consent in the app settings
- Export your data
Data deletion instructions are available at gentlestep.app/data-deletion.html.
Contact Us
If you have questions or comments about this Privacy Policy, please contact us at [email protected].
Legal Disclaimer
While we strive for accuracy, GentleStep cannot guarantee that the content on this page is free from errors, omissions, or typographical mistakes. We reserve the right to update or modify this information at any time without prior notice.